We have received a payment from you for the sum of £ 686. Please would you provide me with a remittance, in order for me to reconcile the statement.

I will be sending you a statement of outstanding invoices tomorrow, the total amount outstanding is £ 1564 less the £3254.00 received making a total outstanding of £ 878. We would very much appreciate settlement of this.

As previously mentioned, we changed entity to a limited company on 1st December 2014. We are keen to close all the old accounts down, for both tax and year end reasons. We would be very grateful in your assistance in settling the outstanding.

Please find attached a remittance advice, relating to a payment made to you.

Many thanks

Regards,

Jimmie Cooley
Seniour Finance Assistant

Each attachment is slightly different, but each contains the name of the recipient plus a random number (e.g. it-dept_0E78A3A5700B.doc). The payload is meant to be a multi-part MIME file, but many are corrupt and are either Base64-encoded or are "404 Not Found" files.
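For mail-gateway triage, the three attachment states described above can be told apart with the Python standard library alone. This is an added example, not code from the original post; the function names, the sample bytes and the assumption that the random suffix is 8 to 16 uppercase hex characters (inferred from the single filename shown) are all illustrative.

```python
import base64
import binascii
import re
from email import message_from_bytes

# Assumption: suffix is uppercase hex, as in the one filename the post shows.
NAME_RE = re.compile(r"^(?P<rcpt>.+)_(?P<rand>[0-9A-F]{8,16})\.doc$")

def name_matches_recipient(filename: str, recipient: str) -> bool:
    """True if the attachment name is '<recipient local part>_<hex>.doc'."""
    m = NAME_RE.match(filename)
    return bool(m) and m.group("rcpt").lower() == recipient.split("@")[0].lower()

def _is_mime_multipart(data: bytes) -> bool:
    # The stdlib parser reports multipart only when a multipart Content-Type
    # header is present and its boundary is actually found in the body.
    return message_from_bytes(data).is_multipart()

def classify_attachment(data: bytes) -> str:
    """Sort a '.doc' attachment into the states the post describes."""
    if _is_mime_multipart(data):
        return "mime-multipart"       # correctly formatted: treat as live
    if b"404 Not Found" in data[:2048]:
        return "http-404-page"        # sender attached an error page
    compact = b"".join(data.split())  # drop line breaks and spaces
    if not compact:
        return "empty"
    try:
        decoded = base64.b64decode(compact, validate=True)
    except (binascii.Error, ValueError):
        return "unknown"
    # Still encoded: the document only appears once the Base64 is undone.
    return "base64-of-mime" if _is_mime_multipart(decoded) else "base64-other"

# Constructed samples (not taken from the campaign).
SAMPLE_MIME = (b'MIME-Version: 1.0\r\n'
               b'Content-Type: multipart/related; boundary="----=_demo"\r\n\r\n'
               b'------=_demo\r\nContent-Type: text/html\r\n\r\n<html></html>\r\n'
               b'------=_demo--\r\n')
SAMPLE_404 = b"<html><head><title>404 Not Found</title></head></html>"
SAMPLE_B64 = base64.encodebytes(SAMPLE_MIME)

if __name__ == "__main__":
    for label, blob in [("mime", SAMPLE_MIME), ("404", SAMPLE_404), ("b64", SAMPLE_B64)]:
        print(label, "->", classify_attachment(blob))
```

A "base64-of-mime" or "http-404-page" verdict means the attachment will not open as a document as delivered, but the message still belongs to the same campaign and should be blocked with the rest.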

If the file is correctly formatted, it should behave similarly to this Hybrid Analysis report, which says that it connects to several different IPs but, crucially, also downloads a malicious executable from 91.226.93[.]110/bt/get1.php (Sobis, Russia) and saves it as crypted.120.exe.

This malicious executable has a detection rate of 2/56 and the Malwr report says that it communicates with 46.36.217.227 (FastVPS, Estonia) and drops a Dridex DLL with a detection rate of 22/56.